Skip to content

Latest commit

 

History

History
113 lines (71 loc) · 4.96 KB

README.md

File metadata and controls

113 lines (71 loc) · 4.96 KB

openstack-securitygroup-grapher

This ansible role gets information from an openstack tenant and generate a graphical representation of security groups and instances through a dot file rendered by Graphviz

Requirements

The below requirements are needed on the host that executes this module.

  • Ansible >= 2.9
  • openstack.cloud collection
  • ⚠️ Openstack-SDK python library (version >= 0.12.0) needs to be installed, as that is required by the OpenStack Ansible collection.
  • ⚠️ To render (i.e. to draw and obtain a graphic file), Graphviz needs to be installed.

Role Variables

Name Type Description Default
osggrapherCloudInfra string Name of cloud infrastructure (defined in clouds.yml) where your tenant is. (mandatory) no default value
osggrapherShowDefault bool Do you want to see default security group false
osggrapherShowInstances bool Do you want to see instances with their security groups false
osggrapherShowInterfaces bool Do you want to see interfaces with their security groups. Useful with instances with multiple ports with different security groups on each. Easier to read when ports have an name instead an id false
osggrapherShowEgressAnyAnyRules bool Do you want to show egress ANY ANY rules true
osggrapherRankdir string See https://www.graphviz.org/doc/info/attrs.html#d:rankdir LR
osggrapherDotFileToRender string Path and name of generated dot file ./CloudGrapher.dot
osggrapherFileToRender string Path and name of generated image file ./CloudGrapher.png
osggrapherRenderCsvFile bool Do you want to generate a csv file of SG and SG Rules false
osggrapherCsvFileToRender string Path and name of generated csv file ./CloudGrapher.csv
osggrapherRenderMdFile bool Do you want to generate a markdown file of SG and SG Rules false
osggrapherMdFileToRender string Path and name of generated markdown file ./CloudGrapher.md
osggrapherFilter string String (begin with) to filter instances and security groups name 'no default value

👉 If you are in a mutualized tenant, you'll probably want to filter information.

To do that, you will have to use the osggrapherFilter parameter. For instance, if all your Openstack resources names begin with the same string, for instance WEB, you should probably have security groups named WEB-SG-Something, and virtual machines named WEB-SERVER-Something, then you can filter on your resources with:

osggrapherFilter: WEB

Example Playbook

---
- name: Security group grapher
  hosts: localhost
  connection: local
  gather_facts: false
  roles:
    - role: openstack-securitygroup-grapher
      osggrapherCloudInfra: MyCloud

Examples of generated images

How to read the graph

Ellipses are security groups.

The red arrows represent egress flows: for example, the UDP stream 53 is authorized as output of SG-VPC-INTERNAL to 10.xxx.yyy.zza.

The blue arrows represent ingress flows: for example, tcp stream 443 is allowed as input of SG-VPC-LB from any (0.0.0.0/0)

The arrow head is always on the security group which contains the rule represented by the arrow.

Full example

It shows a tenant with several security groups corresponding to the different functions of the machines present in the project.

Example

Simpler example

It shows in particular a SG that accepts any input from any source and a SG that allows any output to any destination.

Example

osggrapherShowDefault

With osggrapherShowDefault: true, you'll have on your graph all the SGs, included the default Openstack SG:

Example

osggrapherShowInstances

With osggrapherShowInstances: true, you'll have on your graph all the instances (VM) within SGs used by these instances.

Example

osggrapherShowInterfaces

With osggrapherShowInterfaces: true, you'll have on your graph all the network interfaces (with their ip addresses) using each security groups.

This visualization is usefull when your instances have multiple network interfaces and you use different security group on different network interfaces.

Obviously, this visualization is easier to read when you take care to name your network interfaces with human readable names.

Example

osggrapherRankdir

With osggrapherRankdir: LR, left to right, RL, right to left, TB, top to bottom, BT, bottom to top, you can change the way to draw the graph.

LR example

Example

TB example

Example

Author Information

Jean-Louis FEREY